Configuration Application Tool - version 3.7


 (lightbulb) This document is written in English only



Tip!
This documentation applies only to the .NET version of Buypass Access Manager. It describes, for the person responsible for the LRA in the organization, how to set up and configure the LRA.


Configuration Application is a standalone application that provides a GUI for the configuration XML file. It is located in the same directory as the installed LRA Client. The name of the executable is ConfigurationApplication.exe.

From v3.4 the default setup folder has changed to Buypass Access Manager, that is from:

Windows x32 – Program Files\Buypass\Lra Client

Windows x64 – Program Files (x86)\Buypass\Lra Client

to:

Windows x32 – Program Files\Buypass\Buypass Access Manager

Windows x64 – Program Files (x86)\Buypass\Buypass Access Manager


A shortcut to ConfigurationApplication.exe is also placed in the Start menu (Windows 7).


Start page

Either you Open existing configuration files - LOCAL and MASTER - or you create a new configuration using New.

  • The LOCAL file must always be available on the BAM client PC. The LOCAL configuration includes mappings and connections to drivers for readers, scanners, signpads and pinpads, and local values that apply to this BAM client only.
  • The MASTER file can be on the BAM client PC, but it can also be common to several or all clients and therefore placed on a common file server. The MASTER configuration includes mappings and connections to CA, AD, Buypass and the issuing process, and values that apply to the organization independent of the number of BAM clients.


Look of start page BAM Configuration Application Tool v3.7

 

Navigation

You can use the TAB key to navigate between tabs, fields and buttons. To get to the menu use the ALT key. Use the arrow keys to navigate between options in menus and tabs. Most controls have tooltips with an additional description: move the mouse pointer over the parameter to read its field description.


Id

Description

Comments

#1

Application menu

Available functions:

  1. Open configuration file by OpenFileDialog
  2. Create new local/master config
  3. Exit application

#2

Configuration tabs

Show the Start page tab and a tab for each open configuration file

#3

Configuration file path

Absolute URI of the configuration file in the current tab, that is the tab you are working in

#4

Tab control

Tab list of device and parameter subgroups

#5

Parameters

Shows all parameters connected to the current tab control, that is the subtab you are working in

#6

Tool tip

Hovering over a parameter input field shows a help tooltip with additional info about that parameter

#7

REVERT-button

Reverts all changes on all tabs to the last saved parameters from the current file

#8

SAVE-button

Saves all changes to the current file

#9

SAVE AS-button

Saves the file with the latest changes as a new file


TEST-button

The TEST-button in the different TABs of the LOCAL and MASTER configuration tests the actual devices and backend interfaces with the parameters and values registered in each TAB.

It does not matter whether the values are saved or not when testing, but remember to save before exiting the application if you want to keep the new values. New values are shown in red.

Details of what is actually tested are described for each tab or function - see the description of each tab further down on this page.


In version 3.7 we have added a "test section" on each TAB showing the actual parameters or objects tested, with labels and results. We have used the same principle as at startup of the BAM client.

See below under the headings Local_Test All tab and Master_Test All tab.


Trace- and log files

All operations and functions run in the BAM client are stored in a separate log file at {ApplicationFolder}\Logs\trace.<date hour>.txt

All changes done in the Configuration Application Tool client are stored in a separate log file at {ApplicationFolder}\Logs\configuration.trace.<date hour>.txt

A new file is created every time the BAM client or the Configuration client is started - the date and timestamp are part of the filename to tell the files apart.


From BAM v3.7 it is possible to send trace files directly to Buypass Customer Service from the Start page TAB in the Configuration Application Tool client.

Using the SEND-button you send the last 5 trace files for the BAM or Configuration client as email attachments.


From BAM v3.7.6_7875 these 5 trace files are packed in a ZIP file, and the ZIP file is protected with a password.
The password is set automatically and randomly and shown to the Administrator on screen as shown below.

The password must be sent to the receiver of the mail, but remember to send it in a separate channel - for instance by SMS.


BAM client trace files


Configuration Application Tool client trace files


Local Configuration

Local configuration file contains parameters that may be specific to each LRA client station. This file is stored locally.

Local_Common

Id

Description

Comments

#1

Master configuration

Path to master configuration file. Contains two functions:

  1. SELECT-button: Select file on disk by native SelectFileDialog
  2. OPEN FILE-button: Opens selected master configuration file

#2

Language

Language used in GUI for labels and guidelines.

#3

Location

Place or address of the organization. Will be written in all PDF documents generated.
If the organization has several LRA clients situated in different locations, the place can show which location.

#4

TEST-button

Tests whether the path and the MASTER file are found.


Local_Smartcard

Id

Description

Comments

#1

FETCH-button

Refreshes list of available readers which can be chosen for Operator- and user card readers

#2

Operator card reader

Map one of the card readers from list to be the Operator card reader - that is where Operator must insert his/her smartcard when operating the BAM client

#3

User card reader

Map one of the card readers from the list to be the User card reader - that is where the User/Employee must insert his/her smartcard.

#4

TEST-button

Checks names and access to the readers. In addition to the Operator and User card readers, the connection to the PinPad set up during installation is tested - either the ACR88/89 or the Secure PinPad.


(warning) If ACR88/89 is chosen, a Service is installed to support smartcard communication. This is not needed for the Secure PinPad.


Local_Scanner


Id

Description

Comments

#1

SELECT-button

Shows dialog to select scanner which is available on this machine

#2

Scanner name

Shows name of scanner when chosen

#3

TEST-button

Checks name and access to scanner and gets an image

* Windows Image Acquisition (WIA) service must be started on client PC.


Local_SignPad


Id

Description

Comments

#1

TEST-button

Ensures SignPad is accessible.

Driver for SignPad must be loaded separately as part of the BAM installation. No configuration needed.


Local_Logs

Changes from BAM v3.7.6.7875 - see details in the release note, sections 3 and 4 - written in both Norwegian (top of page) and English (bottom of page).

Id

Description

Comments

#1

Severity

Desired severity for the default log (trace.log file in the app directory)

  1. Verbose - debugging trace
  2. Information - non critical problem
  3. Warning - Informational message
  4. Error - Recoverable error (default value)
  5. Critical - Fatal error or application crash

#2

Reset severity level

Default value = 2

On startup of the BAM client the severity level is checked. ERROR is the default. If a higher log level (read: Verbose) is set, the log level will be reset to Error when more than the registered number of days have passed since the last change.
The Operator will get a message in the startup screen - see below.

The log level is not changed automatically to Error. The message is shown until the Administrator has changed the level and saved the file here in the Configuration Application Tool.


#3

Delete trace files

Default value = 2

On startup of the BAM client all log files older than the registered number of days are deleted.
This applies to trace log files for both the BAM client and the Configuration Application Tool client.


(warning) TIPS

We have received feedback that some user sites have got an error message at startup after installation. If this happens, the cause may be that the configuration has not had its date set, and that it is the date check that fails at startup.

  • Open BAM Configuration Tool and choose Open for the file LraConfig.Local.xml
  • Go to the «Logs» tab, set Severity to Error and save. If it already says Error – set Severity to another log level, save, and then set it back to Error and save again
  • Start the BAM client
  • If it fails again and you get "Error retrieving response. Check inner details for more info", exit the BAM client
  • Go back to the front page of the Configuration Tool and send the trace files to Buypass Customer Service kundeservice@buypass.no. Ask in the email which mobile number the SMS with the zip password should be sent to, so that it is sent correctly



Local_Test All

In version 3.7 we have added a "test section" on each TAB showing the actual parameters or objects tested, with labels and results. We have used the same principle as at startup of the BAM client.


Id

Description

Comments

#1

TEST-button

Tests all local devices and parameters defined in the different LOCAL-tabs with current settings and shows aggregated results.



Master Configuration

Master configuration file contains parameters that are common to all LRA stations within one organization. This file is usually stored in a shared area.

Master_Common

Id

Description

Comments

#1

BAM mode

Different configurations of BAM-client:

  1. Local - issues local certificates only
  2. Buypass - issues qualified certificates only
  3. Mixed - issues both local and qualified certificates

Mixed mode is default value.

Unnecessary tabs or fields within tabs will be disabled based on which mode is set.

#2

Company name

Name of organization. Will be written in all PDF documents generated. If organization has more LRA-clients situated in different locations - name can show department.


Master_Key length

Id

Description

Comments

#1

Local certificates key length

Defines the key length of the certificates generated on the smartcard.

Valid values:

  1. 0x80 : 1024 bits = 128 bytes
  2. 0xC0 : 1536 bits = 192 bytes – default
  3. 0xE2 : 1808 bits = 226 bytes
  4. 0xFE : 2032 bits = 254 bytes

Value chosen must be in compliance with key length in template.


Master_Active directory - Common

Id

Description

Comments

#1

Domain

Defines the name of the domain controller. Example: testdc:389. The FETCH-button gets the available ADs and you can choose the correct one.

#2

SearchBase

Defines the search path for searching for Users in selected AD. Different OU's (directories) in AD can be defined and included. See more details below under the heading Search Base.

#3

Use nested groups

If Users are members of user groups in AD which in turn are linked to the certificate groups, rather than each User being linked directly to one or more certificate groups, this check box must be ticked off.

#4

User search mapping

Options - see more details below under User search mapping.

  1. UpnPrefix
  2. UpnFull
  3. SubjectCn
  4. DistinguishedName
  5. Certificate

#5

ADD AD-button

Creates a new AD configuration. It will be created and available in the tab list on the left.

#6

COPY AD-button

Copies the current AD configuration into a new tab, which can then be modified.

#7

DELETE AD-button

Deletes the currently selected AD configuration.

#8

TEST-button

Ensures AD is accessible. Checks configured domain name, searchbases, employee mappings and groups.


Search Base

Active Directory allows administrators to create a hierarchy within a domain that meets the needs of their organization. The object class of choice for building these hierarchies is the class organizationalUnit, a general-purpose container that can be used to group most other object classes together for administrative purposes. An organizational unit in Active Directory is analogous to a directory in the file system; it is a container that can hold other objects.

To define the path to the SearchBase OUs you need to construct the entire distinguished name by following the references up to the root. Use (*) where a recursive search is needed. Several SearchBases are supported, separated by semicolon.

For example: we have this Active Directory structure:

  1. If you need to search only in testOU_1 and not include subunits: SearchBase: ou=testOU_1, ou=TestUsers, ou=Infopulse;
  2. If you need to search in TestUsers and all subunits, you need to use sign of recursive search – “(*)”. SearchBase: ou=TestUsers, ou=Infopulse(*);
  3. If you need to search in OU-s testOU_1_1 and all subunits, and also search in testOU_2 without subunits: SearchBase: ou=testOU_1_1, ou=testOU_1, ou=TestUsers, ou=Infopulse(*); ou=testOU_2, ou=TestUsers, ou=Infopulse;

Note: Order of organization units must be specified from bottom to top.
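As an added illustration (not code from the original page or from the BAM client), the following Python parses a SearchBase string written in the syntax above into the distinguished name and LDAP search scope of each base. Mapping the plain form to a one-level search and "(*)" to a subtree search, and the DC suffix in absolute_base, are assumptions about how the client uses the parameter.

```python
"""Parse the BAM SearchBase parameter into per-base DN and LDAP scope.

Constructed example for this documentation; it is not code from the
BAM client. Mapping "(*)" to subtree and the plain form to onelevel is
an assumption about how the marker is interpreted.
"""
from typing import List, Tuple

RECURSIVE_MARK = "(*)"


def parse_search_bases(value: str) -> List[Tuple[str, str]]:
    """Split 'ou=a, ou=b(*); ou=c, ou=b;' into [(dn, scope), ...].

    scope is "subtree" when the entry ends with "(*)" (the OU and all
    sub-OUs), otherwise "onelevel" (only the named OU). Spaces after the
    commas are removed so each DN is a plain RDN sequence.
    """
    bases = []
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            continue  # tolerate the trailing ';' used in the examples above
        scope = "onelevel"
        if entry.endswith(RECURSIVE_MARK):
            scope = "subtree"
            entry = entry[:-len(RECURSIVE_MARK)].rstrip()
        rdns = [rdn.strip() for rdn in entry.split(",")]
        # Every component must be attr=value; anything else is a typo that
        # would make the AD search silently return nothing.
        if not all("=" in rdn and rdn.split("=", 1)[1] for rdn in rdns):
            raise ValueError(f"malformed RDN in SearchBase entry: {entry!r}")
        bases.append((",".join(rdns), scope))
    return bases


def ou_path(dn: str) -> str:
    """Show the hierarchy top-down ('Infopulse / TestUsers / testOU_1'), the
    opposite of the bottom-to-top order the SearchBase parameter requires."""
    names = [rdn.split("=", 1)[1] for rdn in dn.split(",")]
    return " / ".join(reversed(names))


def absolute_base(dn: str, domain_dn: str) -> str:
    """Append the domain's DC components (assumed) to get the absolute base DN."""
    return f"{dn},{domain_dn}"
```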


User Search mapping with lookup in AD when Usercard present

  1. UpnPrefix - maps prefix UPN from Subject Alternative Name in certificate to samAccountName field in AD (samAccountName =value). This has been the only possible implementation until v3.4 and is default value
  2. UpnFull - maps full UPN from Subject Alternative Name in certificate to UPN field in AD (userPrincipalName =value)
  3. SubjectCN - maps value from Subject.CN field from certificate to samAccountName field in AD (samAccountName =value) Requires that value in Subject.CN = samAccountName
  4. DistinguishedName - maps value from Subject field from certificate to DistinguishedName field in AD (distinguishedName =value) DistinguishedName from certificate is used as user’s “absolute path” in AD at the time of certificate issuance
  5. Certificate - If chosen search (one of the above) does not return User the LRA will automatically do another search mapping whole certificate itself to userCertificate field in AD (userCertificate=\30\82\...)

Search connected to remote functions is not changed. Buypass Access uses UserName stored in the card as part of remote filename and this will be used as search criteria and mapped to AD as samAccountName.

Search connected to reports has also changed in v3.4. From this version onward it uses the configuration in order to be consistent. Searches in reports can use one of the first four options (1-4). If option 5, whole certificate, is set up in the configuration, the report search automatically switches to option 1, UPN prefix = samAccountName, as in the current implementation. A CA report entry includes certificate metadata (SubjectName, NotBefore, NotAfter, UPN, DistinguishedName, etc.), but not the certificate itself. It is possible to search with the certificate in reports as well, but then the search time increases significantly: the LDAP filter built from a list of certificates becomes huge and the AD search much slower, even for a moderate number of CA report entries.
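To make the five mapping options concrete, here is an added Python example (not code from the page or the BAM client) that builds the AD lookup filter each option produces from the fields on the User card certificate, including the whole-certificate fallback from option 5. The CardCertificate fields, the order in which filters are tried and the sample values are assumptions; the attribute names follow the list above.

```python
"""Build the AD lookup filter for each 'User search mapping' option.

Constructed example for this documentation, not BAM client code. The
CardCertificate fields and the order in which filters are tried are
assumptions; attribute names follow the list above.
"""
from dataclasses import dataclass
from typing import List, Optional


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP filter.

    The value comes from a smartcard certificate, so characters that have
    filter meaning must be escaped rather than interpolated raw; otherwise
    an unusual Subject could change what the search matches.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def escape_der(der: bytes) -> str:
    """Hex-escape a DER certificate for an equality match, giving the
    \\30\\82... form shown in option 5 above."""
    return "".join("\\%02x" % b for b in der)


@dataclass
class CardCertificate:
    """Certificate fields BAM reads from the User card (constructed data)."""
    upn: Optional[str]   # otherName UPN from Subject Alternative Name
    subject_cn: str      # Subject.CN
    subject_dn: str      # full Subject as a distinguished name
    der: bytes           # whole certificate, DER encoded


def build_filter(mapping: str, cert: CardCertificate) -> str:
    """Return the single LDAP filter the named mapping option produces."""
    if mapping in ("UpnPrefix", "UpnFull"):
        if not cert.upn or "@" not in cert.upn:
            raise ValueError("certificate carries no UPN in Subject Alternative Name")
        if mapping == "UpnPrefix":
            return f"(sAMAccountName={ldap_escape(cert.upn.split('@', 1)[0])})"
        return f"(userPrincipalName={ldap_escape(cert.upn)})"
    if mapping == "SubjectCn":
        return f"(sAMAccountName={ldap_escape(cert.subject_cn)})"
    if mapping == "DistinguishedName":
        return f"(distinguishedName={ldap_escape(cert.subject_dn)})"
    if mapping == "Certificate":
        return f"(userCertificate={escape_der(cert.der)})"
    raise ValueError(f"unknown User search mapping: {mapping!r}")


def lookup_filters(mapping: str, cert: CardCertificate) -> List[str]:
    """Filters to try in order: the configured mapping first, then the
    whole-certificate match as fallback when the first returns no User
    (option 5 above); with 'Certificate' configured there is only one."""
    primary = build_filter(mapping, cert)
    if mapping == "Certificate":
        return [primary]
    return [primary, build_filter("Certificate", cert)]
```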

Master_Active directory - Employee mappings


Id

Description

Comments

#1

FETCH DEF-button

Gets a "small" list of available mapping fields from AD. The "small" list contains the most used fields only:

  • givenName - Contains the given name (first name) of the user
  • sn - This attribute contains the family or last name of the user
  • mail - The list of email addresses for a contact
  • cn - The name that represents an object. Used to perform searches
  • sAMAccountName - The logon name used to support clients and servers running earlier versions of the operating system, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager.
    This attribute must be 20 characters or less to support earlier clients
  • userPrincipalName - This attribute contains the UPN, an Internet-style login name for a user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember.
    By convention, this should map to the user's email name. The length of the value set for this attribute equals the length of the user's ID plus the domain name. For more information about this attribute, see User Naming Attributes
  • extensionAttribute1-15 - organization specified fields

#2

FETCH EXT-button

Gets a "large" list of all available mapping fields from AD. The "large" list is an extended list with ALL fields defined in AD, and will take some time to fetch.

#3

First name

First name should consist of first and middle name

#4

Last name

Last name should consist of last name only

#5

Email

Official email of User in the organization

#6

SSN mapping /

SSN Mode

SSN is an 11 digit number consisting of the date of birth (6 digits in the format ddmmyy) and the social security number (5 digits).

Available SSN modes:

  1. Direct mapping of full SSN - the field Full SSN is enabled and you need to register the connected AD field
  2. Partly - the fields Birthdate and Birthdate format are enabled and you need to register the connected AD fields. The date format must be the correct format, e.g. ddMMyyyy *
  3. Full SSN in two fields - the fields Birthdate, Birthdate format and SSN2 are enabled and you need to register the connected AD fields. The date format must be the correct format, e.g. ddMMyyyy *
  4. None - no additional fields are enabled

(lightbulb) *) Date format is case sensitive. Additional information about date and time formats can be found here on Microsofts pages.

From v3.7 the SSN mapping is stored in the LraConfig.Master.XML file in a new way. The SSN mode and the mapping, if required, are remembered when updating the BAM client, and when configuring you can fetch the AD fields based on the FETCH search you run. When running a TEST the AD fields configured in the SSN mapping are checked.


(lightbulb)

If BAM client is configured to be in Buypass Mode (QC only) then IssuerKey is defined in the Master_Buypass tab - see description in this section below.
If BAM client is configured to be in Mixed Mode (LC+QC) then IssuerKey is defined here in the Master_AD_Employee tab. 


#7

Issuer Key mapping /

IssuerKey **

IssuerKey refers to a key representing a User/employee. The IssuerKey must be unique within the organization.

The IssuerKey will be registered at Buypass together with the user information and is used as lookup on search and as the mapping between the organisation and Buypass. The value of the IssuerKey field must not be changed without notifying Buypass.

#8

TEST-button

Ensures AD is accessible. Checks configured domain name, searchbases, employee mappings and groups.

** For any AD mapping field you can use any AD attribute listed in the AD Attributes List. For the selected AD attribute, the «LDAP-Display-Name» should be used.


(warning) On search the client reads the configuration and searches AD based on it. If the fields in AD do not correspond to the configuration, the Operator may see strange information in the GUI, or the User may not be found at all.

Example: If AD has the SSN registered in 1 field, but the configuration maps it to 2 fields, the SSN will show the content of field 1 twice: 21036912345 in the AD field becomes 2103691234521036912345 in the GUI.
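The SSN modes and the mismatch warning above can be checked offline before the configuration is used. The Python below is an added example (not code from the page or the BAM client): it composes the SSN from AD attribute values per mode, translates the .NET date format the tab expects, and dry-runs a mapping against one AD entry so that the one-field-mapped-twice case is reported instead of producing a doubled value. The mode labels Direct/Partly/TwoFields/None, the mapping keys and the AD entry are assumed names and constructed data.

```python
"""Compose the SSN shown in the BAM GUI from the configured AD fields.

Constructed example for this documentation, not BAM client code. The mode
labels Direct/Partly/TwoFields/None and the mapping keys are assumed names
for the four SSN modes listed above; the date format uses the .NET tokens
the Birthdate format field expects (e.g. ddMMyyyy).
"""
from datetime import datetime
from typing import Optional

# .NET date tokens used in the Birthdate format, translated to strptime.
NET_TOKENS = (("yyyy", "%Y"), ("yy", "%y"), ("MM", "%m"), ("dd", "%d"))


def net_date_format_to_strptime(fmt: str) -> str:
    """Translate e.g. 'ddMMyyyy' to '%d%m%Y'.

    Tokens are case sensitive: a lowercase 'mm' means minutes in .NET,
    so it is rejected here instead of silently parsing the wrong thing.
    """
    out, i = [], 0
    while i < len(fmt):
        for token, directive in NET_TOKENS:
            if fmt.startswith(token, i):
                out.append(directive)
                i += len(token)
                break
        else:
            if fmt[i].isalpha():
                raise ValueError(f"unsupported or wrong-case token {fmt[i]!r} in {fmt!r}")
            out.append(fmt[i])
            i += 1
    return "".join(out)


def birthdate_part(value: str, net_format: str) -> str:
    """Parse the AD birthdate with the configured format and return ddmmyy,
    the first six digits of the SSN."""
    return datetime.strptime(value, net_date_format_to_strptime(net_format)).strftime("%d%m%y")


def compose_ssn(mode: str, ad_entry: dict, mapping: dict) -> Optional[str]:
    """mapping holds the AD attribute names (fullSsn, birthdate, ssn2) and
    the configured birthdateFormat."""
    if mode == "None":
        return None
    if mode == "Direct":
        return ad_entry[mapping["fullSsn"]]
    date_part = birthdate_part(ad_entry[mapping["birthdate"]], mapping["birthdateFormat"])
    if mode == "Partly":
        return date_part
    if mode == "TwoFields":
        return date_part + ad_entry[mapping["ssn2"]]
    raise ValueError(f"unknown SSN mode {mode!r}")


def validate_ssn(ssn: str) -> bool:
    """11 digits whose first six are a real ddmmyy date."""
    if len(ssn) != 11 or not ssn.isdigit():
        return False
    try:
        datetime.strptime(ssn[:6], "%d%m%y")
    except ValueError:
        return False
    return True


def check_mapping(mode: str, ad_entry: dict, mapping: dict) -> str:
    """Dry-run a configuration against one AD entry, the check a TEST should
    make: returns 'OK' or why the configured fields do not yield a valid SSN
    (for instance the one-field-mapped-twice case in the warning above)."""
    try:
        ssn = compose_ssn(mode, ad_entry, mapping)
    except (KeyError, ValueError) as exc:
        return f"mapping error: {exc}"
    if ssn is None or mode == "Partly":
        return "OK"
    return "OK" if validate_ssn(ssn) else f"invalid SSN {ssn!r}"
```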


Master_Active directory - Group mappings

Id

Description

Comments

#1

FETCH-button

Gets list of available groups from AD.

Because some organizations have ADs with very many groups, from v3.7 it is possible to limit the search when fetching groups.
Write the start of the wanted value in the search input field with a * (star) at the end, and you will get a list of all groups starting with the value you entered. See the figure above, marked in yellow.

#2

Local certificate group

Users belonging to Local certificate group will have local certificate issued (LC).

#3

Operator group

Users belonging to Operator group will have enrollment agent certificate issued (EA).

#4

Administrator group

Users belonging to Administrator group will have enrollment agent certificate issued (EA).

#5

Qualified certificate group

Users belonging to the Qualified certificate group will have a pair of qualified certificates issued (QC).


Master_Certificate Authority - CA


Id

Description

Comments

#1

Server name

Defines the common name of the CA configuration. The SELECT-button obtains the CA name automatically.

Example: ca.testlab.local\Testlab CA

#2

FETCH-button

Gets certificate templates from chosen CA

#3

Logon template

Name of the template - if an OID is shown instead of a name, the template is unknown

#4

Temporary template

Name of the template - if an OID is shown instead of a name, the template is unknown

#5

Enrollment agent template

Name of the template - if an OID is shown instead of a name, the template is unknown

#6

TEST-button

Ensures CA is accessible and template fields are not empty

(warning) In version 3.6.0 we implemented a new check, so it is no longer possible to fetch CA templates without a corresponding OID.


Master_Reports


Id

Description

Comments

#1

SELECT-button

Gives you the possibility to browse and set up a file area for the reports. You can also write the path directly.

#2

Path

File area for storage of reports.

#3

TEST-button

When pushing the TEST-button we generate a file, store it on file area and delete it in order to check availability.


From BAM v3.7.6_7875 the reports open in the selected editor (e.g. Excel) with UTF-8 encoding. Norwegian special characters æøå / ÆØÅ and other special characters are displayed correctly.


Master_Document Registry


Id

Description

Comments

#1

SELECT-button

Gives you the possibility to browse and set up a file area for the PDF documents. You can also write the path directly.

#2

Path

File area for storage of the PDF documents, which are generated for every function started in the BAM client to keep track of issuance and administration of smartcards in the organization.

#3

TEST-button

When pushing the TEST-button we generate a file, store it on file area and delete it in order to check availability.


Master_Remote functions

Id

Description

Comments

#1

Remote functions enabling checkbox

If the organization uses remote functions, having Users at remote locations, this checkbox must be ticked off.

When the box is ticked it gives access to more configurable parameters.

(lightbulb) Note that Buypass Access (NetID) needs to be configured and set up for handling of Remote functions as well as the BAM client.

#2

Auto check request count

If the number of remote certificate requests should be counted and shown in the Main menu this checkbox must be ticked off.

#3

Path to requests

File area for storage of remote certificate requests. Possible to browse using the SELECT-button.

#4

Path to responses

File area for storage of the generated certificates, which act as responses to remote requests. Possible to browse using the SELECT-button.

#5

Polling interval

Defines the polling interval for responses in milliseconds. Default value is 2000.

#6

Max number of attempts

Defines the maximum number of times the BAM client retries access to the remote file area. Default value is 30.

#7

TEST-button

When pushing the TEST-button we generate a file, store it on file area and delete it in order to check availability.

(warning) Buypass Access (NetID) must have corresponding paths for requests and responses for Temporary cards (Enroll) and Renewal of certificates (Renew).

  • Request file names: {prefix}{userId}.{extension}
    • Rnv_{userId}.req
    • Tmp_{userId}.req
  • Response files: {prefix}{userId}.{extension}
    • Rnv_{userId}.crt
    • Tmp_{userId}.crt
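The file name convention above together with the Polling interval and Max number of attempts parameters describes a simple file-based exchange. The Python below is an added example (not code from the page, the BAM client or Buypass Access) of the client side of that exchange: it composes the request and response file names, drops a request on the requests path and polls the responses path with the two parameters. The Renew/Enroll labels, the demo round trip and the sample bytes are assumed; the userId check is an added precaution because the id becomes part of a file name on a shared area.

```python
"""Request/response file handling for BAM remote functions.

Constructed example for this documentation, not BAM or Buypass Access
code. It uses the file name convention above and the Polling interval and
Max number of attempts parameters; the Renew/Enroll labels are assumed.
"""
import time
from pathlib import Path
from typing import Optional

PREFIXES = {"Renew": "Rnv_", "Enroll": "Tmp_"}  # Renewal / Temporary card


def safe_user_id(user_id: str) -> str:
    """The userId becomes part of a file name on a shared file area, so
    reject anything that could point outside the configured folder."""
    if not user_id or user_id in (".", "..") or any(c in user_id for c in "/\\\0"):
        raise ValueError(f"invalid userId for remote file name: {user_id!r}")
    return user_id


def is_valid_user_id(user_id: str) -> bool:
    try:
        safe_user_id(user_id)
        return True
    except ValueError:
        return False


def request_filename(function: str, user_id: str) -> str:
    return f"{PREFIXES[function]}{safe_user_id(user_id)}.req"


def response_filename(function: str, user_id: str) -> str:
    return f"{PREFIXES[function]}{safe_user_id(user_id)}.crt"


def write_request(requests_path: str, function: str, user_id: str, request: bytes) -> Path:
    """Drop the request file where Buypass Access picks it up."""
    target = Path(requests_path) / request_filename(function, user_id)
    target.write_bytes(request)
    return target


def wait_for_response(responses_path: str, function: str, user_id: str,
                      polling_interval_ms: int = 2000, max_attempts: int = 30) -> Optional[bytes]:
    """Poll for the matching .crt file with the two parameters above
    (defaults 2000 ms and 30 attempts, i.e. about a minute). Returns the
    certificate bytes, or None when the attempts run out."""
    target = Path(responses_path) / response_filename(function, user_id)
    for attempt in range(1, max_attempts + 1):
        if target.is_file():
            return target.read_bytes()
        if attempt < max_attempts:
            time.sleep(polling_interval_ms / 1000.0)
    return None


def demo() -> dict:
    """Round trip in a temporary folder with constructed data: the request is
    written, the response is first missing, then found once it appears."""
    import tempfile
    with tempfile.TemporaryDirectory() as folder:
        req = write_request(folder, "Renew", "jdoe", b"constructed PKCS#10 request")
        missing = wait_for_response(folder, "Renew", "jdoe", polling_interval_ms=1, max_attempts=2)
        (Path(folder) / response_filename("Renew", "jdoe")).write_bytes(b"constructed certificate")
        found = wait_for_response(folder, "Renew", "jdoe", polling_interval_ms=1, max_attempts=2)
        return {"request": req.name, "missing": missing, "found": found}
```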


Master_Buypass

From BAM v3.7.6_7875 we have implemented a new interface between BAM client and Buypass backend. For versions before v3.7.6 we use WebLTS which is a SOAP-based interface. From v3.7.6 we use a new REST-based interface. This is a part of Buypass' development and deployment architecture, and the new interface is the basis for future issuance of Buypass ID@Work - central stored PKI for mobile devices to be available for BAS customers during the fall 2018 / spring 2019.


In Local and Mixed Mode

(lightbulb) Endpoint address:  https://api.buypass.no/access-manager-api

In Buypass Mode

(lightbulb) Endpoint address:  https://api.buypass.no/access-manager-api


Id

Description

Comments

#1

Merchant ID

Merchant ID connected to organization. Will be provided by Buypass

#2

Timeout

Max time to wait for a response from Buypass (the WebLTS interface)

#3

Endpoint address

Address for BAM versions from 3.8.2: https://api.buypass.no/access-manager-api

#4

Merchant certificate serial number

Serial number of the merchant certificate installed in the Microsoft certificate store. Using the SELECT button you can obtain the certificate serial number automatically.

Certificate should be installed as described in BAM Client readme

#5

Buypass Mode Preregistration

Use SSN as IssuerKey

The Buypass Mode Preregistration parameter will show only when the parameter BAM Mode in MASTER_Common is set to value Buypass.


The organization can choose which value should be the IssuerKey, that is the key used by Buypass to identify the employees uniquely. The IssuerKey is used for searching and is the link between the organisation and Buypass. In Buypass Mode the IssuerKey is only searchable from Buypass systems, but in Mixed Mode the IssuerKey is the link between the local AD and Buypass.

  • If IssuerKey is enabled - checkbox ticked off - the SSN (fødselsnummer/FNR) is used as the unique key for the User and the field UserName is disabled in the PreRegistration GUI
  • If IssuerKey is disabled - checkbox NOT ticked off - then UserName is the unique key for the User and the field UserName is enabled in the PreRegistration GUI. SSN (fødselsnummer/FNR) is then an information field only


In Mixed Mode, when the parameter BAM Mode in MASTER_Common is set to the value Mixed, the IssuerKey is configured in the Master_AD_Employee mapping tab. See the description in this section above.

#6

TEST-button

Here a request is signed with the Merchant certificate and sent to Buypass, and Buypass responds with whether the signature was verified OK or with an error message.


Master_Issue process

Id

Description

Comments

#1

Agreement sign required

If the User should accept the agreement on first time issuance of local certificates this checkbox must be ticked off. NOTE: For first time issuance of qualified certificates the User must always accept the agreement.

#2

User scan and document scan required

If the User should sign and get his ID document scanned on first time issuance of local certificates this checkbox must be ticked off. NOTE: For first time issuance of qualified certificates the User must always sign and get his ID document scanned.

#3

Allow more Local certificates

Enables the possibility to issue additional local certificates in the ID card scenario.

#4

Allow Operator identification

Enables the possibility for the Operator to state that the User is known and that no extra identification is needed. In smaller organizations where "everyone knows everyone" this makes the issuance process easier, but the Operator still has the responsibility to identify the user.

#4

Document scan required on replace

If the User should get his ID document scanned on issuance of replacement certificates, both local and qualified, this checkbox must be ticked off.

#5

QC: Renewal limit, weeks

Qualified certificates (QC) already issued to the card will not be renewed if the QCs were issued less than 12 weeks ago (default) when you are issuing a new LC or renewing an existing LC in the User card. This is mostly used when Allow more Local certificates is enabled.

#6

Third party identification enabled

If the organization allows third party identification in cases where the User has forgotten his own ID document this checkbox must be ticked off. Third party identification means that another colleague in the organization uses his smartcard to verify the User's identity.

#7

Timeout

Third party card waiting timeout.


Master_Test All


Id

Description

Comments

#1

TEST-button

Tests all backends/devices and parameters defined in the different MASTER-tabs with current settings and shows aggregated results.


